Package details: pkg:gem/faraday@2.14.2
purl: pkg:gem/faraday@2.14.2
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-8d5e-zyuy-53g3
Aliases: CVE-2026-33637, GHSA-5rv5-xj5j-3484
Summary: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

## Summary

`Faraday::Connection#build_exclusive_url` still allows protocol-relative host override when the request target is provided as a `URI` object instead of a `String`. This bypasses the February 2026 fix for `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base `Faraday::Connection` to an attacker-controlled host while preserving connection-scoped headers such as `Authorization`.

## Supporting Materials

- Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
- Existing CVE for the original string-based issue: CVE-2026-25765
- Existing regression tests for the string-only fix:
  - spec/faraday/connection_spec.rb:314-345
- Existing test proving supported URI request input:
  - spec/faraday/request_spec.rb:26-31

## Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.
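The advisory above turns on one detail: under RFC 3986 reference resolution a protocol-relative reference such as `//host/path` is a host override, and a guard that only inspects `String` targets misses the same reference once it is wrapped in a `URI` object. The Ruby below is an added example, not code from Faraday or from the 2.14.2 fix, and it uses only the standard library: `naive_resolve` merges whatever it is given onto the base (the host changes whether the target is a String or a URI), while `scoped_resolve` normalises both input kinds, resolves, and then compares the resolved origin (scheme, host, port) against the fixed base before anything is sent. The base URL, the example hosts, the `HostScopeError` class and the helper names are assumptions for illustration; `Faraday::Connection#build_exclusive_url` itself is not reproduced.

```ruby
require "uri"

# Added example, not Faraday's code. It models the class of bug the advisory
# describes using Ruby's stdlib URI: RFC 3986 resolution treats "//host/path"
# as a host override regardless of whether the reference arrives as a String
# or as a URI object. All names and hosts below are assumptions.

# Unguarded resolution: whatever the caller hands in is merged onto the base.
def naive_resolve(base, target)
  URI(base).merge(target)
end

class HostScopeError < StandardError; end

# Origin (scheme, host, port) of a URI, the tuple a fixed-base client must pin.
def origin_of(uri)
  [uri.scheme, uri.host&.downcase, uri.port]
end

# Host-pinned resolution: coerce String and URI input the same way, resolve
# against the fixed base, then refuse any result whose origin differs from it.
# Checking the *resolved* URL rather than the raw input is what closes the
# String-vs-URI gap: both forms collapse to one URI before the check runs.
def scoped_resolve(base, target)
  base_uri   = base.is_a?(URI::Generic)   ? base   : URI.parse(base.to_s)
  target_uri = target.is_a?(URI::Generic) ? target : URI.parse(target.to_s)
  resolved = base_uri.merge(target_uri)
  unless origin_of(resolved) == origin_of(base_uri)
    raise HostScopeError,
          "request target #{target.inspect} resolves off-host to #{resolved}"
  end
  resolved
end

# What a fixed-base client would send: the pinned URL plus its default headers.
# Headers are only attached after the origin check succeeds.
def build_request(base, target, headers)
  { url: scoped_resolve(base, target).to_s, headers: headers }
end

if __FILE__ == $PROGRAM_NAME
  base = "https://api.example.com/v1/"                     # constructed fixed base
  secret_headers = { "Authorization" => "Bearer <token>" } # constructed header

  # Both input kinds escape the base host when resolution is unguarded.
  puts "naive (String): #{naive_resolve(base, '//evil.example/x')}"
  puts "naive (URI):    #{naive_resolve(base, URI('//evil.example/x'))}"

  # In-scope target goes through; off-host targets of every kind are refused.
  puts "allowed: #{build_request(base, 'users?id=1', secret_headers)[:url]}"
  ["//evil.example/x", URI("//evil.example/x"), "https://evil.example/"].each do |t|
    begin
      build_request(base, t, secret_headers)
    rescue HostScopeError => e
      puts "blocked: #{e.message}"
    end
  end
end
```

Comparing the resolved origin instead of pattern-matching the input also catches absolute URLs and scheme or port changes, which a check aimed only at protocol-relative strings would not; and because every input type is coerced to a `URI` first, adding another accepted target type later cannot reopen the gap.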

Date | Actor | Action | Vulnerability | Source | VulnerableCode version
2026-06-05T22:04:40.615201+00:00 | GHSA Importer | Fixing | VCID-8d5e-zyuy-53g3 | https://github.com/advisories/GHSA-5rv5-xj5j-3484 | 38.6.0
2026-06-04T17:00:44.395962+00:00 | GithubOSV Importer | Fixing | VCID-8d5e-zyuy-53g3 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5rv5-xj5j-3484/GHSA-5rv5-xj5j-3484.json | 38.6.0